Target IP: 10.10.56.98
Looks like only two ports are open on the target machine: HTTP and RDP.
The host is running Windows OS. The web server is IIS/10.0. This link mentions there are multiple vulnerabilities for this version of web server.
Port 80: HTTP
Only a single directory exists, called retro.
The directory fuzz result above shows the host is running WordPress application.
The WordPress version is 5.2.1.
The webpage above is displayed when we visit the retro directory.
Running wpscan to enumerate users shows that a user called wade exists.
Is this wade's password?
I was able to log in to WordPress using wade:parzival. We should be able to gain a reverse shell connection.
The payload that I will use. From manual enumeration, we know that the server is running PHP.
I put the Ivan Sincek PHP reverse shell inside the 404.php file of the twentysixteen theme.
I started a listener on port 8443, browsed to http://10.10.56.98/retro/wp-content/themes/twentysixteen/404.php, and got a reverse shell connection back. Now I have a foothold on the Windows machine.
Using the credentials I obtained, I was able to RDP into the machine as wade.
The OS Version seems to be 10.0.14393 N/A Build 14393.
A Google search pointed to a public exploit for this vulnerability.
I downloaded the exploit to my local machine and started a Python server. Then I transferred the exploit from my machine to the target machine using PowerShell and ran it, and I gained full control of the machine.
The user.txt flag, once I used RDP to log in as wade.
The root.txt flag, once I gained an NT AUTHORITY shell.